NIST, June 1, 2022
National Institute of Standards and Technology, U.S. Department of Commerce
FIPS 199 and 200 were the first NIST publications categorizing and establishing federal standards for digital data governance. These and subsequent applicable standards are listed below, including summaries outlining organizational responsibilities for FISMA compliance. (The complete list of standards and publications is available at NIST.gov.) Following the NIST list will be a list of CorreLog functions that assist with maintaining FISMA compliance.
NIST FIPS Publication 200 and 199
– categorize information systems and implement security controls in areas such as authentication, auditing, accountability, etc.
NIST FIPS Publication 200
– Minimum Security Requirements for Federal Information and Information Systems
• Lists the minimum security requirements for 17 security-related areas for protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.
• Covers access control (authentication), awareness and training, auditing and accountability, and further areas that must be incorporated into a minimum InfoSec process.
NIST SP 800-37
– Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• Lists requirements for integrating an organization-wide IT risk management framework, establishing security controls, and monitoring security controls
• Outlines management of cyber-security risks for mitigation and well-informed risk-based decisions for organizations’ mission/business strategies
NIST SP 800-39
– Managing Information Security Risk: Organization, Mission, and Information System View
• Lays out the process for identifying, assessing, monitoring, and responding to risk throughout all three tiers of the organization: 1) the organization itself, 2) mission/business processes, and 3) information systems
• Provides effective governance of risk management best practices in order to achieve mission/business success
NIST SP 800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems, dated February 2010. http://csrc.nist.gov/publications/nistpubs/800-37-r
NIST SP 500-292
NIST Cloud Computing Reference Architecture, dated September 2011. http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
NIST SP 800-53
Recommended Security Controls for Federal Information Systems and Organizations, Revision 4, dated April 2013. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf Note: http://csrc.nist.gov/publications/PubsSPs.html contains additional documents relating to SP 800-53.
NIST SP 800-59
Guideline for Identifying an Information System as a National Security System, dated August 2003. http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf
NIST SP 800-66, Revision 1
An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, dated October 2008. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
NIST SP 800-39
– defines the components of an ongoing risk management improvement strategy, including response to risk once determined and monitoring risk on an ongoing basis for continuous risk management strategy improvement.
NIST SP 800-53
– addresses “overlays” for specialized requirements per industry, organization, and/or agency.
NIST SP 800-37
– integrate all three tiers of the organization – Organizational Governance & Strategy, Business Processes, and Information System Operating Environment – into a six-step Risk Management Framework (RMF) to continually improve InfoSec and risk-based decision-making
NIST SP 800-137
– InfoSec Continuous Monitoring for Federal Information Systems and Organizations
• Outlines InfoSec continuous monitoring (ISCM) for risk-based decision-making by maintaining visibility over all IT assets, monitoring for changes to IT infrastructure, and maintaining awareness of the nature of dynamic threats/vulnerabilities with “near real-time” capabilities.
• Lists requirements for defining an ISCM strategy, establishing and implementing a program, assessing efficacy, and updating the strategy/program as necessary.
NIST SP 800-53
– Security and Privacy Controls for Federal Information Systems and Organizations
• Establishes requirements for IT security control structures, baselines, and designations
• Provides guidelines for selecting security control baselines, tailoring baselines, and creating a framework for security control processes with possible “overlays” per sector.
NIST SP 800-145
The NIST Definition of Cloud Computing, dated September 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
NIST SP 800-88, Revision 1
Draft: Guidelines for Media Sanitization, dated September 2012. http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf
NIST SP 800-122
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), dated April 2010. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
NIST SP 800-144
Guidelines on Security and Privacy in Public Cloud Computing, dated December 2011. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf